Aftershocks from Saturday’s KelpDAO hack are spreading through stablecoin markets in ways that weren’t immediately obvious.
In the 24 hours following the attack, Aave users borrowed approximately $300 million against their Tether stablecoin deposits. on the platform, according to data from Chaos Labs.
Rising borrowing is not a sign of demand; this is a sign that users cannot opt out. With stablecoin pools maxed out, depositors are taking out loans at a loss from their own funds simply to access liquidity.
Think of it this way: imagine a bank refusing to process customers’ escrow withdrawal requests. So, in desperation, customers take out loans against these deposits. This credit creation is not healthy, but is a desperate move to obtain liquidity.
“We are now seeing negative side effects of illiquidity in Aave’s stablecoin markets,” said monetsupply.eth, pseudonymous head of strategy at Spark, a rival DeFi lending platform. “Since users cannot withdraw due to 100% utilization, there has been an increase of approximately $300 million in USDT-collateralized borrowing over the past day since the rsETH exploit.”
To understand how a single exploit on KelpDAO ended up simultaneously locking every stablecoin release on Aave, you need to understand how the system is supposed to work – and exactly where it broke.
What is Aave and how it is supposed to work
Aave is a decentralized finance (DeFi) protocol that allows users to lend and borrow cryptocurrencies without intermediaries. Think of it like a bank, except it runs entirely on code on a public blockchain, with no human gatekeepers.
Users deposit assets into loan pools and earn interest. Others borrow from these same pools by providing crypto assets as collateral, which exceeds the loan amount. The system is designed to automatically self-correct based on interest rates. When many people want to borrow, rates rise, making borrowing more expensive and encouraging lenders to deposit more. When demand falls, prices fall.
The entire system operates on a fundamental assumption: that there will always be enough liquidity – enough assets in the pool – so that lenders can withdraw their deposits when they want, and so that borrowers can liquidate their positions when they need to.
When that assumption collapses, everything else collapses. This is what happened after the KelpDAO exploit.
rsETH and the KelpDAO exploit
rsETH is a liquid re-staking ether token issued by KelpDAO.
When you stake ether (ETH), you lock it up to help secure the Ethereum network in exchange for a return, similar to interest on a bond. Some protocols issue a Liquid Staking Token (LST) which represents your staked ETH.
Re-staking goes even further, reusing these already staked assets to secure additional systems, effectively stacking yield upon yield. In return, you receive a receipt token representing your position. rsETH is one such receipt token and it has been widely used as collateral in the DeFi world.
On April 18, an attacker manipulated KelpDAO’s bridge infrastructure to release 116,500 rsETH, or approximately 18% of the token’s circulating supply, worth approximately $292 million. These fake uncollateralized tokens were immediately deposited into lending protocols, primarily Aave, to borrow real ETH and other assets such as wrapped ether (wETH) against them. Fake tokens in, real money out.
“That [borrowed] WETH is gone. The rsETH holding its place in the vaults is worth what an unsecured claim is worth – approaching zero on the L2 side, where over 20 chains hold bridged rsETH backed by a now-empty mainnet vault,” said 0xyanshu, a pseudonymous crypto operator known for his work around on-chain finance and risk.
Aave froze the rsETH markets on V3 and V4 within hours, with founder Stani Kulechov claiming the exploit was external and that Aave’s contracts were not compromised. This gel stopped the bleeding. But it also set off a chain reaction that saw borrowing increase by $300 million.
How $300 million in loans materialized in a single day
When news of the exploit broke, whales and big funds withdrew billions of dollars worth of cryptocurrencies from Aave’s liquidity pools within hours. Because they moved first and in large numbers, their withdrawals drained cash reserves.
“When the rsETH exploit occurred and AAVE incurred uncollectible debt, whales like Justin Sun, the MEXC exchange and others immediately withdrew billions from AAVE,” analyst Duo Nine said in an explanation. “Initially, the ETH market was at 100% utilization, meaning you couldn’t withdraw your ETH from AAVE.”
This quickly spread to the USDT and USDC pools, increasing their utilization rates to 100%, as over $6 billion in assets left the protocol in a matter of hours. Each lending pool holds a fixed amount of assets deposited by users. When every dollar of these assets has been borrowed, there is nothing left to withdraw.
“This is because AAVE lost over $6 billion in liquidity in the last 24 hours,” Duo Nine wrote. “As the whales withdrew their money, USDT and USDC also reached 100% utilization. These markets are now also stuck with stranded money.”
That’s when the $300 million secondary borrowing spree began.
Trapped USDT and USDC depositors, unable to simply withdraw their money, sought the only exit still available to them. They started by withdrawing loans from their blocked deposits.
“Some users decided to borrow against USDT/USDC and exit through other markets at a loss of 10-25%,” Duo Nine explained. “Basically, you borrow GHO/DAI/USDe against your locked USDT/C.” It was not a business strategy.
It was a desperate act to borrow at a loss with their own money, accepting 75 cents on the dollar, just to squeeze every last bit of liquidity out of the system. Aave allows users to borrow up to 75% of the total loan-to-value (LTV) ratio of their deposited collateral, depending on the asset and its risk parameters.
“At a maximum LTV of 75%, users with locked USDT deposits can withdraw up to 3/4 of the value of their Aave position. But this ends up reducing liquidity in other markets, with USDC and USDe markets now also 100% utilized,” observed monetsupply.eth, pseudonymous head of strategy at Spark, a rival DeFi lending platform.
For anyone looking at DeFi from the outside, the message is clear: “Decentralized” does not mean “risk-free.”
